Defence

Going Dark: North Korea’s Dramatic Increase in Cyber Secrecy

Historic steps have been taken recently to de-escalate aggression on the Korean peninsula, particularly with regard to North Korea’s nuclear programme. More quietly, however, the North Korean regime has been dramatically shifting its cyber activity in recent months. Callum Tyndall investigates whether the nation’s online activity should be a new source of concern.

On April 27, North Korean leader Kim Jong Un and South Korean President Moon Jae-in met for a historic summit. It was the first time leaders of the two countries had met in more than a decade, and the first time a North Korean leader had entered South Korea since the Korean War. The meeting resulted in promises such as formally ending the Korean War, technically only paused since 1953, and working towards denuclearisation.

Already, the South has begun dismantling the loudspeakers at the border of the demilitarised zone that blast everything from news reports to pop music (and the North is reportedly reciprocating), and there is now early movement towards arranging a meeting between Kim and Trump. All of this is notable and positive, regardless of whether we wish to give credit to Trump’s Twitter aggression or South Korea’s diplomacy.

However, aside from the fact that several of the agreements from the meeting had already been made in the past and collapsed before coming to fruition, there is reason to believe that North Korea is not suddenly pivoting towards becoming a model of Western values. While American and South Korean leaders, for sensibly diplomatic reasons, are busy praising Kim and his regime for their openness and honour, new research released by Recorded Future, a cyber threat intelligence provider, details a dramatic shift in North Korean cyber activity over the last six months. Far from becoming transparent, the regime seems to be swiftly moving towards behaviour designed to hide from foreign scrutiny.

The triumph of ‘transparency’: Performative honesty wins North Korea praise

In July 2017, Recorded Future published research about the cyber activity of North Korea’s leadership and ruling elite. Its findings showed that although internet access is massively restricted in the country, those members of the nation’s upper echelons that do have access tend to use the internet in a way that would be very familiar to a Western user.

They, according to the research’s summary, “are actively engaged in Western and popular social media, regularly read international news, use many of the same services such as video streaming and online gaming and above all, are not disconnected from the world at large or the impact North Korea’s actions have on the community of nations.” And yet, when the company revisited its analysis in December, it found that North Korean leadership had not only completely abandoned Western social media but also dramatically increased their operational security procedures.

“What Kim is saying to the world and what his leadership team are doing appear to be two different things.”

In July, Recorded Future’s data showed that North Korean leadership heavily consumed Western social media, with Facebook receiving more than double the daily usage of any of its Chinese-language counterparts. By contrast, however, the dataset from December 2017 to March 2018 shows almost no Facebook and Instagram activity, while usage of Chinese services such as Alibaba, Tencent and Baidu has skyrocketed. Although some Western services did remain in the top eight most used, they were primarily used for content streaming rather than social media. Far from suddenly becoming a completely transparent nation, and in spite of US praise, it would seem that North Korea is instead moving distinctly in the opposite direction in response to foreign attention.

According to Priscilla Moriuchi, director for strategic threat development at Recorded Future, “these statements from the President [Trump] are in contrast to what we have observed in North Korean leadership's online behaviour. Our data reveals increasing attempts at secrecy and evasion as opposed to openness. Over the last six months, North Korea’s elite have moved nearly completely away from using Western social media to using Chinese services and dramatically increased their use of anonymisation technologies.

“What is evident here is the difference between data and diplomacy, or actions vs words. What Kim is saying to the world and what his leadership team are doing appear to be two different things. This dichotomy speaks to the motivation and intentions of the Kim regime in pursuing talks with South Korea and the United States.”

The viral crisis

Although the change in online activity is indicative of the regime’s changing approach to the digital space, there are multiple possible reasons for the shift. A ban on Western social media services has technically been in place since April 2016 and could be receiving new enforcement; a general increase in operational security may have prompted the change; or it may be that, although not in the spirit of the transparency it is currently trying to display, the regime is concerned about the level of scrutiny levelled its way.

Of greater concern are the cyber operations that are being undertaken abroad and the specific placement of cyber operatives in foreign countries.

On the lesser end of the spectrum of concern is the use of operators and programmers living in facilities outside of North Korea with the goal of earning money for the regime by scamming online games and users; according to one defector, they were required to earn nearly $100,000 a year. Recorded Future’s research, both in July and December, found that there were eight nations in which North Koreans have been placed to conduct revenue-generation activities and obtain advanced education (the count was unchanged between July and December, although two of the countries on the list changed).

“Regardless of whether a military strike is actually on the cards or not, what matters is whether they think one might happen.”

Beyond revenue generation, which, while designed to circumvent sanctions placed on North Korea, presents relatively little threat to other countries, the greatest source of alarm is North Korea’s seemingly escalating cyber-attacks. The past few years have seen several major attacks, largely against South Korea, attributed to the North, but none perhaps is as prominent as the WannaCry attack.

According to cybersecurity company CrowdStrike’s co-founder and CTO Dmitri Alperovitch, who spoke to the Guardian in February, North Korea poses a larger cyber threat than Russia. Given that CrowdStrike is the firm that investigated the 2016 Democratic National Committee hacks, that is no small statement.

Speaking to the Guardian, Alperovitch said: “In 2018, my biggest worry is actually about North Korea. I worry a great deal that they may do a destructive attack, perhaps against our financial sector, in an attempt to deter a potential US strike against either their nuclear facilities or even the regime itself.

“Regardless of whether a military strike is actually on the cards or not, what matters is whether they think one might happen. And given all the rhetoric over the last year or so, it wouldn’t be irrational for them to assume that.”

Although the rhetoric around North Korea’s nuclear programme has since calmed down, and the talks being organised hint at the possibility of some form of denuclearisation or at least regulation, the fact remains that the regime is capable, both in terms of its nuclear weaponry and its cyber capability, of inflicting vast damage. It should remain of great concern not only that North Korea possesses such capability, but that, in spite of assertions otherwise, it is clearly still a long way from full transparency and cannot be trusted in the face of threat, either perceived or real.

PR nightmares: Ten of the worst corporate data breaches

LinkedIn, 2012

Hackers sold name and password info for more than 117 million accounts

Target, 2013

The personal and financial information of 110 million customers was exposed

JP Morgan, 2014

One of JP Morgan Chase’s servers was compromised, resulting in fraud schemes yielding up to $100m

Home Depot, 2014

Hackers stole email and credit card data from more than 50 million customers

Sony, 2014

Emails and sensitive documents were leaked, thought to be by North Korea in retaliation for Sony’s production of a film mocking the country’s leader Kim Jong Un

Hilton Hotels, 2015

Dozens of Hilton and Starwood hotels had their payment systems compromised and hackers managed to steal customer credit card data

TalkTalk, 2015

The personal data of 156,959 customers, including names, addresses, dates of birth and phone numbers, were stolen

Tesco, 2016

Hackers made off with around $3.2m from more than 9,000 Tesco Bank accounts

Swift, 2016

Weaknesses in the Swift payment system resulted in $81m being stolen from the Bangladesh Central Bank’s account at the New York Federal Reserve

Chipotle, 2017

Phishing was used to steal the credit card information of millions of Chipotle customers, thought to be part of a wider restaurant customer scam orchestrated by an Eastern European criminal gang
